Converts user and group entries of an LDIF from one schema type to another.
The secldifconv command reads the ldif formatted input file specified by the -i option, converts the user and group data using the schema type specified by the -S option, and prints the result to stdout. If redirected to a file, the result can be added to an LDAP server with the ldapadd command or the ldif2db command.
The input file specified with the -i option can include entries in any of the above supported schemas. The secldifconv command will convert user and group entries according to the attribute mapping defined in the /etc/security/ldap/*.map files for the corresponding schema type. Only user and group entries will be converted, other entries are output unaltered.
Use of the -r option allows the removal of attributes in user and group entries that are not included in the specified output schema. If the option is not specified then unrecognized attributes are assumed to be valid and are output unaltered. Note that if the user or group attribute is defined in the schema secldifconv is converting from but not in the schema requested to convert into, then the attribute will not be output. This behavior allows for conversion between the AIX and RFC2307AIX schemas to the RFC2307 schema which contains a subset of attributes.
In releases of AIX prior to AIX 5.3, when the AIX schema was used to store entries in LDAP, the user's password was stored without an encryption prefix (that is, {crypt}). If the db2ldif command is used to generate the input file for secldifconv, passwords without an encryption prefix are output in {IMASK} format. In order to convert the {imask} format into the proper {crypt} format, the -R option should be used to specify the Loadable I&A module to read the password from for conversions from AIX schema type, assuming the system has been previously configured to be an LDAP client.
Care should be taken when adding users and groups from other systems to the LDAP server using the secldifconv command output. The ldapadd and ldif2db commands check only for entry name (user name or group name) but not for the numeric ID when adding entries. Merging users and groups from multiple servers using secldifconv output can result in sharing of a numeric ID by multiple accounts, which is a security violation. Note that IBM® Directory Server 5.2 and later supports a unique attribute feature that can be used to avoid this issue.
| Item | Description |
|---|---|
| -R load_module | Specifies the loadable I&A module used to retrieve the user's password if necessary. |
| -S schematype | Specifies the output LDAP schema type. Valid values are AIX, RFC2307, and RFC2307AIX. |
| -i inputFile | Specifies the input file in ldif format that contains user and group data to convert. |
| -r | Specifies to remove any attributes that are not defined in the specified schema type. |
This command returns the following exit values:
| Item | Description |
|---|---|
| 0 | The command completed successfully. |
| >0 | An error occurred. |
| -1 | Memory failure (that is, Memory allocation failure). |
secldifconv -S rfc2307 -i input.ldifsecldifconv -R LDAP -S rfc2307aix -i input.ldif -r > convert.ldif/usr/sbin/secldifconv
| Mode | File |
|---|---|
| r | /etc/security/ldap/2307aixgroup.map |
| r | /etc/security/ldap/2307aixuser.map |
| r | /etc/security/ldap/2307group.map |
| r | /etc/security/ldap/2307user.map |
| r | /etc/security/ldap/aixgroup.map |
| r | /etc/security/ldap/aixuser.map |